Wazuh (new) Integration required steps


Josip Domšić

Mar 5, 2018, 1:30:03 PM
to Wazuh mailing list
Hello!

I've created an integration for some events (similar to existing ones: VirusTotal, Slack, ...).

Created files:
 - /var/ossec/integrations/integration.py (read alert.json and output to ossec/queue)
 - /var/ossec/rules/local_rules.xml

When I run the integration I can see the alerts (both in ELK and in the emails).

What else do I need to do to run the integration continuously (changes to integratord?)?
I'd like to avoid compiling ossec/wazuh binaries from source if at all possible.

Josip Domšić

Mar 6, 2018, 6:54:08 AM
to Wazuh mailing list
Hi,

I figured I'd switch the existing binary's (e.g. virustotal) source code and
modify /var/ossec/etc/ossec.conf accordingly.

I've already enabled integratord and can see in the logs that it's working.

However, do you have any instructions on how to trigger the specific alert (some curl command)?
Currently I see:
2018/03/06 12:53:26 ossec-integratord: DEBUG: sending new alert.
2018/03/06 12:53:26 ossec-integratord: DEBUG: skipping: group doesn't match
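Added example, not code from this thread or from Wazuh: a skeleton of the script integratord invokes, together with a reimplementation of the pre-filter that produces the "skipping: group doesn't match" line quoted above. The <integration> fragment, the hook URL and the sample alert are constructed placeholders, and alert_matches is an approximation of integratord's checks (level as a minimum, rule_id as an allow-list, at least one configured group present in the rule's groups), not its source. Current Wazuh releases accept any <integration> whose <name> starts with custom- and run /var/ossec/integrations/<name> without rebuilding integratord, which is the route to take instead of patching the virustotal binary.

```python
#!/usr/bin/env python3
"""Skeleton of a Wazuh integratord script plus the pre-filter integratord
applies before calling it.  Added example, not Wazuh's own code.

integratord runs /var/ossec/integrations/<name> as
    <name> <alert_file> <api_key> <hook_url>
where <alert_file> holds one alert in alerts.json layout.  Alerts that fail
the <level>, <rule_id> or <group> filter of the <integration> block are
dropped before the script ever runs.
"""
import json
import sys
import urllib.request
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment; name and hook_url are placeholders.
OSSEC_CONF_FRAGMENT = """
<ossec_config>
  <integration>
    <name>custom-myintegration</name>
    <hook_url>https://hooks.example.invalid/wazuh</hook_url>
    <group>authentication_failed,pam</group>
    <level>5</level>
    <alert_format>json</alert_format>
  </integration>
</ossec_config>
"""

# Constructed sample in alerts.json layout, not a captured alert.
SAMPLE_ALERT = {
    "timestamp": "2018-03-06T12:53:26.000+0100",
    "rule": {"level": 5, "id": "5503", "description": "PAM: User login failed.",
             "groups": ["pam", "syslog", "authentication_failed"]},
    "agent": {"id": "000", "name": "manager"},
    "location": "/var/log/auth.log",
    "full_log": "Mar  6 12:53:26 host sshd[1234]: pam_unix(sshd:auth): "
                "authentication failure; logname= uid=0 euid=0 tty=ssh "
                "ruser= rhost=198.51.100.7  user=root",
}


def parse_integration_config(xml_text):
    """Return every <integration> block of an ossec.conf as a dict."""
    blocks = []
    for node in ET.fromstring(xml_text).iter("integration"):
        def csv(tag):  # comma-separated lists such as <group>a,b</group>
            return [x.strip() for x in (node.findtext(tag) or "").split(",") if x.strip()]
        blocks.append({
            "name": node.findtext("name"),
            "hook_url": node.findtext("hook_url"),
            "groups": csv("group"),
            "rule_ids": csv("rule_id"),
            "level": int(node.findtext("level") or 0),
        })
    return blocks


def alert_matches(cfg, alert):
    """Approximation of integratord's filter: level is a minimum, rule_id is
    an allow-list, and at least one configured group must appear in the
    rule's groups.  Only the group message is integratord's own wording."""
    rule = alert["rule"]
    if rule["level"] < cfg["level"]:
        return False, "skipping: level below threshold"
    if cfg["rule_ids"] and str(rule["id"]) not in cfg["rule_ids"]:
        return False, "skipping: rule_id not listed"
    if cfg["groups"] and not set(cfg["groups"]) & set(rule.get("groups", [])):
        return False, "skipping: group doesn't match"
    return True, "sending new alert"


def build_payload(alert):
    """Shape the alert for the receiving hook (hypothetical schema)."""
    rule = alert["rule"]
    return {
        "title": "[Wazuh] %s (rule %s, level %d)" % (rule["description"], rule["id"], rule["level"]),
        "agent": alert.get("agent", {}).get("name", "unknown"),
        "timestamp": alert.get("timestamp", ""),
        "groups": rule.get("groups", []),
        "log": alert.get("full_log", "")[:500],  # cap what we forward
    }


def deliver(hook_url, payload, timeout=10):
    """POST the payload as JSON over HTTPS only; urlopen raises on non-2xx."""
    if not hook_url.startswith("https://"):
        raise ValueError("refusing to send alerts over a non-https hook_url")
    req = urllib.request.Request(hook_url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


def main(argv):
    if len(argv) != 4:
        sys.stderr.write("usage: %s <alert_file> <api_key> <hook_url>\n" % argv[0])
        return 2
    alert_file, _api_key, hook_url = argv[1:]
    with open(alert_file) as fh:
        alert = json.load(fh)
    deliver(hook_url, build_payload(alert))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Install the script as /var/ossec/integrations/custom-myintegration, owned by root with the manager's group (ossec on 3.x installs, wazuh on 4.x) and mode 750, then restart the manager after adding the <integration> block. integratord only hands over alerts that pass all configured filters, so when the log shows "skipping: group doesn't match" compare the <group> list against the groups of the rule that fired (visible in alerts.json or in ossec-logtest output) rather than debugging the script itself. The script runs with the manager's privileges; keeping it to the standard library, refusing non-HTTPS hooks and capping the forwarded log size limits what a malformed alert or a misconfigured hook_url can do.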

pablo....@wazuh.com

Apr 17, 2018, 5:55:53 AM
to Wazuh mailing list
Hello Josip,

My name is Pablo and I'm here to help you.

To test the functionality of your integration, you can use the /var/ossec/bin/ossec-logtest tool, as you can see in the next capture:

[inline image: ossec-logtest session capture, not preserved]

1) First execute ossec-logtest binary.
2) Paste log entry sample.

In the example I used a PAM log to launch an alert, which in this case is level 5.

I hope this helps you; if you have any other questions, don't hesitate to contact us.

Best regards,
Pablo.



josip....@gmail.com

Aug 1, 2018, 4:52:35 PM
to Wazuh mailing list
Hi,

I'm finishing up with your help :)

How can I compile ossec-integratord?
When I run: --> make -j5 TARGET=server PREFIX=/var/ossec <-- the binary has an unresolved dependency
$ ./ossec-integratord
./ossec-integratord: error while loading shared libraries: libwazuhext.so: cannot open shared object file: No such file or directory

But when I run: --> make -j5 TARGET=server PREFIX=/var/ossec DISABLE_SHARED=yes <-- there is an issue
$ make -j5 TARGET=server PREFIX=/var/ossec DISABLE_SHARED=yes
make ossec-maild - ossec-csyslogd - ossec-agentlessd - ossec-execd - ossec-logcollector - ossec-remoted ossec-agentd manage_agents utils ossec-syscheckd ossec-monitord ossec-reportd ossec-authd ossec-analysisd ossec-logtest ossec-makelists ossec-dbd - ossec-integratord wazuh-modulesd wazuh-db
make[1]: Entering directory '/home/user/wazuh/src'
    CC ossec-maild
    CC ossec-csyslogd
    CC ossec-agentlessd
    CC ossec-logcollector
    CC ossec-execd
external/curl/lib/.libs/libcurl.a(libcurl_la-openssl.o): In function `Curl_ossl_version':
openssl.c:(.text+0x1334): undefined reference to `OpenSSL_version_num'
external/curl/lib/.libs/libcurl.a(libcurl_la-openssl.o): In function `Curl_ossl_seed.part.4':
openssl.c:(.text+0x17da): undefined reference to `RAND_file_name'
openssl.c:(.text+0x17f0): undefined reference to `RAND_load_file'
external/curl/lib/.libs/libcurl.a(libcurl_la-openssl.o): In function `Curl_ossl_seed':
openssl.c:(.text+0x1878): undefined reference to `RAND_load_file'
external/curl/lib/.libs/libcurl.a(libcurl_la-openssl.o): In function `ossl_connect_step1':
openssl.c:(.text+0x1eb5): undefined reference to `BIO_f_ssl'
openssl.c:(.text+0x23bd): undefined reference to `PKCS12_parse'
external/curl/lib/.libs/libcurl.a(libcurl_la-openssl.o): In function `servercert':
openssl.c:(.text+0x421a): undefined reference to `OCSP_basic_verify'
openssl.c:(.text+0x42cc): undefined reference to `OCSP_cert_status_str'
openssl.c:(.text+0x4a34): undefined reference to `OCSP_response_status_str'
openssl.c:(.text+0x4bfd): undefined reference to `OCSP_crl_reason_str'
collect2: error: ld returned 1 exit status


Can you help me?

Pedro Sánchez

Aug 1, 2018, 10:30:45 PM
to josip....@gmail.com, Wazuh mailing list
Hi Josip,

Are you working with the latest stable release branch? I will need to know what version/branch you are using from GitHub so I can deep dive and help you with the compilation.

It explains how to install the Manager from sources, including compiling the source code (therefore compiling ossec-integratord).

If you are not interested in compiling the code, I recommend you use RPM/DEB packages; it will be easier to install the software and manage future upgrades.
You can read about how to install Wazuh using rpm/deb packages here: https://documentation.wazuh.com/current/installation-guide/installing-wazuh-server/index.html


I hope it helps.
Regards,
Pedro 'snaow' Sanchez.



josip....@gmail.com

Aug 3, 2018, 5:26:28 AM
to Wazuh mailing list

I'm using the master branch (as the integration source hasn't been modified lately).

Yes, I've been following the sources installation guide, but no luck.
(paraphrase: "make deps, make server" fails)